CERT(*) Summary CS-96.05
September 24, 1996

Last Revised: October 2, 1997
              Updated copyright statement

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from

    ftp://info.cert.org/pub/

Past CERT Summaries are available from

    ftp://info.cert.org/pub/cert_summaries/
---------------------------------------------------------------------------

Clarification to CS-96.04
-------------------------

In our previous CERT Summary, we said that the intruder community is
developing new techniques and tools to analyze programs for potential
vulnerabilities even in the absence of source code. We did not mean to imply
that all developers of these techniques in the wider technical community are
members of the intruder community, nor that they intend their work to be used
by the intruder community.

Recent Activity and Trends
--------------------------

Since the July CERT Summary, we have noticed these trends in incidents
reported to us.

1. Denial of Service Attacks

Instructions for executing denial-of-service attacks and programs to
implement such attacks have recently been widely distributed. Since
this information was published, we have noticed a significant and
rapid increase in the number of denial-of-service attacks executed
against sites.

To learn more about denial-of-service attacks and how to limit them,
see

    ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding

To monitor and log an attack, you can use a tool such as Argus. For
more information regarding Argus, see

    ftp://info.cert.org/pub/tech_tips/security_tools

2. Continuing Linux Exploitations

We continue to see incidents in which Linux machines are the victims
of break-ins leading to root compromises. In many of these incidents,
the systems were misconfigured and/or the intruders exploited
well-known vulnerabilities for which CERT advisories have been
published.

If you are running Linux, we strongly urge you to keep up to date with
patches and security workarounds. We also recommend that you review

    ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
    ftp://info.cert.org/pub/tech_tips/root_compromise

Further, you may want to monitor the Linux newsgroups and mailing
lists for security patches and workarounds. More information can be
found at

    http://bach.cis.temple.edu/linux/linux-security/

3. PHF Exploits

At least weekly, and often daily, we see reports of password files
being obtained illegally by intruders who have exploited a
vulnerability in the PHF cgi-bin script. The script is installed by
default with several implementations of httpd servers, and it contains
a weakness that allows intruders to retrieve the password file for the
machine running the httpd server. The vulnerability is described in

    ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

Once the intruders retrieve the password file, they may attempt to
crack the passwords found in the file. For information about
protecting your password files, please see

    ftp://info.cert.org/pub/tech_tips/passwd_file_protection
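
The following added example (not part of the original CERT summary) shows
one way to check an httpd access log for requests to the PHF script. It
assumes Common Log Format; the function names and the sample log lines are
constructed, and query strings are replaced by the placeholder QUERY-ELIDED.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def is_phf_request(target):
    """True if the request path names a script called phf under cgi-bin."""
    # Drop the query string, undo percent-encoding, ignore empty and "." segments
    path = unquote(target.split("?", 1)[0])
    parts = [p for p in path.split("/") if p not in ("", ".")]
    return len(parts) >= 2 and parts[-1] == "phf" and "cgi-bin" in parts[:-1]

def scan(lines):
    """Return (host, time, status, answered) for every request to PHF."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if m is None:
            continue  # not a Common Log Format line
        host, when, _method, target, status = m.groups()
        if is_phf_request(target):
            # A 2xx status means the script is installed and answered
            findings.append((host, when, int(status), status.startswith("2")))
    return findings

# Constructed sample lines (documentation addresses, query strings elided)
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Sep/1996:10:01:07 -0400] "GET /index.html HTTP/1.0" 200 2048',
    '198.51.100.7 - - [24/Sep/1996:10:02:13 -0400] "GET /cgi-bin/phf?QUERY-ELIDED HTTP/1.0" 200 512',
    '198.51.100.7 - - [24/Sep/1996:10:02:20 -0400] "GET /cgi-bin//phf?QUERY-ELIDED HTTP/1.0" 404 201',
    '203.0.113.5 - - [24/Sep/1996:11:15:40 -0400] "GET /docs/phf.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for host, when, status, answered in scan(SAMPLE_LOG):
        note = "script answered: review this host" if answered else "probe only"
        print(f"{when}  {host}  status={status}  {note}")
```

A finding with a 2xx status means the script is still installed and
responded, which is the case the advisory and tech tip above address.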

4. Software Piracy

We have received frequent reports regarding software piracy since the
last CERT Summary was issued. Although software piracy is beyond the
scope of the mission of the CERT Coordination Center, it is often
associated with compromised hosts or accounts because intruders
sometimes use compromised hosts to distribute pirated software. News
of illegal collections of software circulates quickly within the
underground community, which may focus unwanted attention on a site
used for software piracy.

We encourage you to periodically check your systems for signs of
software piracy. To learn more, please examine our relevant tech tips:

    ftp://info.cert.org/pub/tech_tips/anonymous_ftp_abuses
    ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config

To learn more about detecting and preventing security breaches, please see

    ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist

----------------------------------
What's New in the CERT FTP Archive
----------------------------------

We have made the following changes since the last CERT Summary (July 23,
1996).

* README Files Incorporated into Advisories

As of August 30, 1996, we no longer put advisory updates into README files. We
now revise the advisories themselves. In addition, we have updated past
advisories with information from their README files. We urge you to check
advisories regularly for updates that relate to your site.

* New Additions

ftp://info.cert.org/pub/cert_advisories/
CA-96.14.rdist_vul
CA-96.15.Solaris_KCMS_vul
CA-96.16.Solaris_admintool_vul
CA-96.17.Solaris_vold_vul
CA-96.18.fm_fls
CA-96.19.expreserve
CA-96.20.sendmail_vul
CA-96.21.tcp_syn_flooding

ftp://info.cert.org/pub/cert_bulletins/
VB-96.12.freebsd
VB-96.13.hp
VB-96.14.sgi
VB-96.15.sco
VB-96.16.transarc

ftp://info.cert.org/pub/latest_sw_versions
swatch

ftp://info.cert.org/pub/tech_tips
UNIX_configuration_guidelines   These replace the security_info file
intruder_detection_checklist    (the CERT Security Checklist).
security_tools

ftp://info.cert.org/pub/vendors/
hp/HPSBUX9607-033               Added Hewlett-Packard bulletin about a
                                security vulnerability in expreserve.

* Updated Files

ftp://info.cert.org/pub/cert_advisories/
CA-96.02.bind                   In the appendix, updated Sun
                                Microsystems, Inc. patch information.
                                In section I, added information about
                                the next release of bind and the
                                IsValid program.

CA-96.08.pcnfsd                 Updated URL for IBM Corporation,
                                updated Hewlett-Packard Company patch
                                information, and modified NEC
                                Corporation patch information.

CA-96.09.rpc.statd              Updated URL for IBM Corporation,
                                removed a workaround for SunOS 4.x
                                (patches now available), updated
                                information on Hewlett-Packard
                                Company, and added patch information
                                for NEC Corporation. Also updated
                                opening paragraph.

CA-96.14.rdist_vul              In Appendix A, added note under
                                Silicon Graphics, Inc. about using the
                                find command, updated the
                                Hewlett-Packard Company entry, added
                                information about Digital Equipment
                                Corporation, and added an IBM
                                Corporation URL.

CA-96.15.Solaris_KCMS_vul       In Introduction, added information
                                about Solaris 2.5.1.

CA-96.18.fm_fls                 Added vendor information to Appendix A.
                                Added Section III.B, which provides
                                another possible solution to the
                                problem.

CA-96.19.expreserve             In Appendix A, added information for
                                Silicon Graphics Inc. and Sun
                                Microsystems, Inc.

CA-96.20.sendmail_vul           Added to Sec. III.B instructions on
                                configuring sendmail at sites that use
                                '&' in the gecos field of /etc/passwd.
                                Added to Sec. III.C a note on uid for
                                "mailnull" user. In the appendix, added
                                information from FreeBSD, Inc. and
                                Berkeley Software Design, Inc. (BSDI).

ftp://info.cert.org/pub/FIRST
first-contacts

ftp://info.cert.org/pub/latest_sw_versions
rdist-patch-status              Updated information for
                                Hewlett-Packard Company and NeXT
                                Software, Inc. Updated
                                rdist version information in
                                Section II.G.
sendmail

ftp://info.cert.org/pub/tech_tips
root_compromise

---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST
         (GMT-5)/EDT(GMT-4), and are on call for
         emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to

    cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group

    comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

    http://www.cert.org/
    ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key

    ftp://info.cert.org/pub/CERT_PGP.key

------------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History:

Oct 02, 1997   Updated copyright history